An organization has the following risk mitigation policies:
Risks without compensating controls will be mitigated first if the risk value is greater than $50,000. Other risk mitigation will be prioritized based on risk value.
The following risks have been identified:
Which of the following is the order of priority for risk mitigation from highest to lowest?
A. A, C, D, B
B. B, C, D, A
C. C, B, A, D
D. C, D, A, B
E. D, C, B, A
Correct Answer: C
Explanation: The order of priority for risk mitigation from highest to lowest is C, B, A, D. This order is based on applying the risk mitigation policies of the organization. According to the first policy, risks without compensating controls will be mitigated first if the risk value is greater than $50,000. Risk C has no compensating controls and a risk value of $75,000, so it is the highest priority. Risk B also has no compensating controls, but a risk value of $40,000, so it is the second priority. According to the second policy, other risk mitigation will be prioritized based on risk value. Risk A has a risk value of $60,000 and a compensating control of encryption, so it is the third priority. Risk D has a risk value of $50,000 and a compensating control of backup power supply, so it is the lowest priority.
Question 832:
Which of the following is the BEST option to protect a web application against CSRF attacks?
A. Update the web application to the latest version.
B. Set a server-side rate limit for CSRF token generation.
C. Avoid the transmission of CSRF tokens using cookies.
D. Configure the web application to only use HTTPS and TLS 1.3.
Correct Answer: C
Explanation: CSRF tokens are random values that are generated by the server and included in requests that perform state-changing actions. They are used to prevent CSRF attacks by verifying that the request originates from a legitimate source. However, if the CSRF tokens are transmitted using cookies, they are vulnerable to being stolen or forged by an attacker who can exploit other vulnerabilities, such as cross-site scripting (XSS) or cookie injection. Therefore, a better option is to avoid the transmission of CSRF tokens using cookies and use other methods, such as hidden form fields or custom HTTP headers.
A security analyst responds to a series of events surrounding sporadic bandwidth consumption from an endpoint device. The security analyst then identifies the following additional details:
Bursts of network utilization occur approximately every seven days.
The content being transferred appears to be encrypted or obfuscated.
A separate but persistent outbound TCP connection from the host to infrastructure in a third-party cloud is in place.
The HDD utilization on the device grows by 10GB to 12GB over the course of every seven days.
Single file sizes are 10GB.
Which of the following describes the most likely cause of the issue?
A. Memory consumption
B. Non-standard port usage
C. Data exfiltration
D. System update
E. Botnet participant
Correct Answer: C
Explanation: Data exfiltration is the unauthorized transfer of data from an organization's network to an external destination, usually for malicious purposes such as espionage, sabotage, or theft. The details given in the question suggest that data exfiltration is occurring from an endpoint device. The bursts of network utilization every seven days indicate periodic data transfers. The content being transferred appears to be encrypted or obfuscated to avoid detection or analysis. The persistent outbound TCP connection from the host to infrastructure in a third-party cloud indicates a possible command and control channel for an attacker. The HDD utilization on the device grows by 10GB to 12GB over the course of every seven days, and single file sizes are 10GB, indicating that large amounts of data are being collected and compressed before being exfiltrated.
Question 834:
A risk assessment concludes that the perimeter network has the highest potential for compromise by an attacker, and it is labeled as a critical risk environment. Which of the following is a valid compensating control to reduce the volume of valuable information in the perimeter network that an attacker could gain using active reconnaissance techniques?
A. A control that demonstrates that all systems authenticate using the approved authentication method
B. A control that demonstrates that access to a system is only allowed by using SSH
C. A control that demonstrates that firewall rules are peer reviewed for accuracy and approved before deployment
D. A control that demonstrates that the network security policy is reviewed and updated yearly
Correct Answer: C
Explanation: A valid compensating control to reduce the volume of valuable information in the perimeter network that an attacker could gain using active reconnaissance techniques is a control that demonstrates that firewall rules are peer reviewed for accuracy and approved before deployment. This control can help ensure that the firewall rules are configured correctly and securely, and that they do not allow unnecessary or unauthorized access to the perimeter network. The other options are not compensating controls or do not address the risk of active reconnaissance. References: CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page 14; https://www.isaca.org/resources/isaca-journal/issues/2016/volume-3/compensating-controls
Question 835:
A technician working at company.com received the following email:
After looking at the above communication, which of the following should the technician recommend to the security team to prevent exposure of sensitive information and reduce the risk of corporate data being stored on non-corporate assets?
A. Forwarding of corporate email should be disallowed by the company.
B. A VPN should be used to allow technicians to troubleshoot computer issues securely.
C. An email banner should be implemented to identify emails coming from external sources.
D. A rule should be placed on the DLP to flag employee IDs and serial numbers.
Correct Answer: C
Explanation: An email banner is a message that is added to the top or bottom of an email to provide some information or warning to the recipient. An email banner should be implemented to identify emails coming from external sources to prevent exposure of sensitive information and reduce the risk of corporate data being stored on non-corporate assets. An email banner can help employees recognize phishing or spoofing attempts and avoid clicking on malicious links or attachments. It can also remind employees not to share confidential information with external parties or forward corporate emails to personal accounts. The other options are not relevant or effective for this purpose. References: CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page 13; https://www.csoonline.com/article/3235970/what-is-spoofing-definition-and-how-to-prevent-it.html
Question 836:
Members of the sales team are using email to send sensitive client lists with contact information to their personal accounts. The company's AUP and code of conduct prohibit this practice. Which of the following configuration changes would improve security and help prevent this from occurring?
A. Configure the DLP transport rules to provide deep content analysis.
B. Put employees' personal email accounts on the mail server on a blocklist.
C. Set up IPS to scan for outbound emails containing names and contact information.
D. Use Group Policy to prevent users from copying and pasting information into emails.
E. Move outbound emails containing names and contact information to a sandbox for further examination.
Correct Answer: A
Explanation: Data loss prevention (DLP) is a set of policies and tools that aim to prevent unauthorized disclosure of sensitive data. DLP transport rules are rules that apply to email messages that are sent or received by an organization's mail server. These rules can provide deep content analysis, which means they can scan the content of email messages and attachments for sensitive data patterns, such as client lists or contact information. If a rule detects a violation of the DLP policy, it can take actions such as blocking, quarantining, or notifying the sender or recipient. This would improve security and help prevent sales team members from sending sensitive client lists to their personal accounts. References: CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page 14; https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/data-loss-prevention
Question 837:
The following output is from a tcpdump at the edge of the corporate network:
Which of the following best describes the potential security concern?
A. Payload lengths may be used to overflow buffers enabling code execution.
B. Encapsulated traffic may evade security monitoring and defenses.
C. This traffic exhibits a reconnaissance technique to create network footprints.
D. The content of the traffic payload may permit VLAN hopping.
Correct Answer: B
Explanation: Encapsulated traffic may evade security monitoring and defenses by hiding or obfuscating the actual content or source of the traffic. Encapsulation is a technique that wraps data packets with additional headers or protocols to enable communication across different network types or layers. Encapsulation can be used for legitimate purposes, such as tunneling, VPNs, or NAT, but it can also be used by attackers to bypass security controls or detection mechanisms that are not able to inspect or analyze the encapsulated traffic. Reference: https://www.techopedia.com/definition/10339/memory-dump
Question 838:
An organization wants to consolidate a number of security technologies throughout the organization and standardize a workflow for identifying security issues prioritizing the severity and automating a response.
Which of the following would best meet the organization's needs?
A. MaaS
B. SIEM
C. SOAR
D. CI/CD
Correct Answer: C
Explanation: A security orchestration, automation, and response (SOAR) system is a solution that combines various security technologies and workflows to identify security issues, prioritize their severity, and automate a response. A SOAR system can help an organization consolidate its security tools and processes and standardize its workflow for incident response. The other options are not relevant or comprehensive for this purpose. References: CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page 15; https://www.gartner.com/en/information-technology/glossary/security-orchestration-automation-and-response-soar
Question 839:
A forensic analyst is conducting an investigation on a compromised server. Which of the following should the analyst do first to preserve evidence?
A. Restore damaged data from the backup media
B. Create a system timeline
C. Monitor user access to compromised systems
D. Back up all log files and audit trails
Correct Answer: D
Explanation: A forensic analyst is conducting an investigation on a compromised server. The first step that the analyst should do to preserve evidence is to back up all log files and audit trails. This will ensure that the analyst has a copy of the original data that can be used for analysis and verification. Backing up the log files and audit trails will also prevent any tampering or modification of the evidence by the attacker or other parties. The other options are not the first steps or may alter or destroy the evidence. References: CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page 16; https://www.nist.gov/publications/guide-collection-and-preservation-digital-evidence
Question 840:
A company is aiming to test a new incident response plan. The management team has made it clear that the initial test should have no impact on the environment. The company has limited resources to support testing. Which of the following exercises would be the best approach?
A. Tabletop scenarios
B. Capture the flag
C. Red team vs. blue team
D. Unknown-environment penetration test
Correct Answer: A
Explanation: A tabletop scenario is an informal, discussion-based session in which a team discusses their roles and responses during an emergency, walking through one or more example scenarios. A tabletop scenario is the best approach for a company that wants to test a new incident response plan without impacting the environment or using many resources. A tabletop scenario can help the company identify strengths and weaknesses in their plan, clarify roles and responsibilities, and improve communication and coordination among team members. The other options are more intensive and disruptive exercises that involve simulating a real incident or attack. References: CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page 16; https://www.linkedin.com/pulse/tabletop-exercises-explained-matt-lemon-phd